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Abstract — IT organizations are under increasing pressure to 
meet the business goals of their companies. This challenge 
can be particularly daunting because it involves complying 
with regulations, such as the SarbanesOxley Act (Sarbox) 
and Basel II. Compliance requires strong corporate 
governance capabilities that are demonstrable to outside 
auditors. Because IT plays such a major role in business 
processes, the IT organization not only creates complexity 
for the business, but at the same time, provides the means to 
demonstrate this compliance. Organizations rely on 
guidelines such as the IT Infrastructure Library (ITIL® ) and 
Control Objectives for Information and related Technology 
( COBIT ) to help understand and address these challenges. 
Keywords — Good practices, ITIL, process, COBIT, IT 
Governance, IT Strategy. 

I. INTRODUCTION 

COBIT and ITIL have been used by information 
technology professionals in the IT service management 
(ITSM) space for many years. Used together, COBIT and 
ITIL provide guidance for the governance and 
management of IT-related services by enterprises, 
whether those services are provided in-house or obtained 
from third parties such as service providers or business 
partners. 

Enterprises need to govern and manage their information 
and related technolog y assets and resources, and those 
arrangements customarily include both internal and 
external services to satisfy specific stakeholder needs. 
COBIT 5 aims primarily to guide enterprises on the 
implementation, operation and, where required, 
improvement of their overall arrangements relating to 
governance and management of enterprise IT (GEIT). 
ITIL provides guidance and good practice for IT service 
providers for the execution of IT service management 
from the perspective of enabling business value. 

COBIT 5 describes the principles and enablers that 
support an enterprise in meeting stakeholder needs, 


specifically those related to the use of IT assets and 
resources across the whole enterprise. ITIL describes in 
more detail those parts of enterprise IT that are the service 
management enablers (process activities, organizational 
structures, etc.). 

COBIT is broader than ITIL in its scope of coverage 
(GEIT). It is based on five principles (meeting stakeholder 
needs; covering the enterprise end to end; applying a 
single, integrated framework; enabling a holistic 
approach; and separating governance from management) 
and seven enablers (principles, policies and 
frameworks; processes; organizational structures; culture, 
ethics and behavior; information; services, infrastructure 
and applications; people, skills and competencies). 

ITIL focuses on ITSM and provides much more in - 
depth guidance in this area, addressing five stages of the 
service life cycle: service strategy, service design, service 
transition, service operation and continual service 
improvement. 

In addition, COBIT and ITIL are well aligned in their 
approach to ITSM. The COBIT 5 Process Reference 
Model, as documented in COBIT 5: Enabling 

Processes, maps closely to the ITIL v3 2011 stages. 

The distinction between the two is sometimes 
Described as “COBIT provides the ‘why’; ITIL 
provides the ‘ how. ’ ” While catchy, that view is 
simplistic and seems to force a false “one or the other” 
choice. It is more accurate to state that enterprises and 
IT professionals who need to address business needs in 
the ITSM area would be well served to consider using 
both COBIT and ITIL guidance. Leveraging the 
strengths of both frameworks, and adapting them for 
their use as appropriate, will aid in solving business 
problems and supporting business goals achievement. 
Many references reflect the best practices developed 
over the years. The reality is that each of them focuses on a 
specific matter: safety, quality, customer services, auditing, 
project development, etc... 
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ITIL (Information Technology Infrastructure Library) is a 
set of good practice structured as multiple processes 
communicating with each other. Each has its own role 
so that, at the end, they can both respond to the two 
issues, which are the continuous improvement and 
customer satisfaction. 

COBT Is a reference of information systems; the 
perimeter of COBIT governance (created by IS AC A 
Information Systems Audit and Control Association) 
exceeds the one vested in the management of information 
systems to all stakeholders encompass in the 

company. Malthus, According To COBIT, "governance of 
information systems Is The reference of leaders and the 
Board of Directors, it Consists of structures, command and 
operation processes leading the IT of the 
enterprise tosupport its strategies and business objectives, 
and allow them to expand." 

This article helps to highlight the completeness and pooling 
possible between these two references based on the 
perspective of developing a version of COBIT that 
includes the most used processes of ITIL. 

II. UNDERSTANDING TIL 

To define ITIL, you must be in a context of 
continuous improvement and customer orientation needs. 
ITIL is a set of good practice structured as multiple 
processes communicating with each other. Each has its 
own role so that, at the end, both can respond to the two 
issues which are: the continuous improvement and 
customer satisfaction. 

ITIL is not a standard because it does not provide 
criteria or a requirement-set defined internationally and 
certifying the organizations. 

ITIL is not a methodology or method. It provides and uses 
methods to better explore the good practice. 

The good practices provide organizations a structure, 
approved by years of experience in large companies 
globally recognized for their professionalism and 
thoroughness, to formalize their processes and manage 
their information. These good practices are used primarily 
as guidelines to companies serving businesses wishing to 
improve their quality of service. 

However, to take advantage of the power of all good 
practices proposed by ITIL, and following the worldwide 
recognition of the robustness of its processes, a standard 
was created in 2006 based on these good practices. This 
standard called IS020000 international came out to meet 
the needs of companies wishing to demonstrate their 
alignment with the good practices recommended by ITIL. 


III. WHY ITIL? 

ITIL provides a pragmatic approach to deal with the 
situations in which CIOs are faced, namely, among others: 

• The IT sector is receiving more and more investment 
budget. It represents important expenses especially for 
companies to whom; the main business isn’t focused on 
computing. 

• Information systems are becoming more complex. As long 
as the IT workers are trying to meet the requirements 

and demands of their internal customers, they find 
themselves facing an infrastructure and a large arsenal 
application that must be managed and maintained 
while trying to be responsive. 

•With the advent of new technologies of information and 
communication (social medias ...) , users have become 
up - to - date with all high - tech news. 

Especially since the editors have popularized their 
software’s (advent of open source) and 
telecommunications Infrastructure (mobile phone). 

•As long as companies have spent enormous sums of 
money for the IT infrastructure (hardware and software), 
the leaders expect a return on investment and begin to 
tighten the budgets. Thus, the d iff icu It situations 
the CIOs have to face. 

• Globalization has played its part too. It introduced the 
practices of service between recharges its subsidiaries. 
This new situation has opened the eyes of CIOs who want 
to bill their services to their internal customers. 

• All this was said, made the ambiguous role of the CIO. 
With the mode of outsourcing, the user begins to ask 
questions about the added value of CIOs as external 
suppliers support their claims with contracts and a 
better reactivity. 

• For companies specialized in IT, being certified or 
certifying their staff improve their reputation and 
trust of their internal or external customers. This 
certification is a label that the CIO can show to proof their 
professionalism with standards recognized worldwide. 
Client axis : 

For this axis, ITIL will respond to the: 

• Lack of mechanism structured for delivery and service 
support. 

• Lack of confidence in the management of IT services. 

Management axis: 

• Mismanagement of resources and means. 

• Failure of service in a frequent way. 

• Irregularity in meeting the deadlines of requests and 
Claims of customers. 

• Changes or modifications not coordinated or analyzed. 
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Decision Axis: 

• Decisions are made without any pragmatic basis. 

IV. THE BASIC CONCEPTS OF ITIL 

Mainly, ITIL is based on five pillars: 

• Customer focus. 

• The life cycle of service. 

• The concept of process. 

• Continuous improvement. 

• Communication. 

Customer focus 

This concept is crucial for managing IT services. It makes 
the customer needs the main concern of the IT specialist. 
Thus, what’s important is not focusing on 
new technologies and the power of servers 
and telecommunications but rather meeting the functional 
need of the customer in the most faithful and most optimal 
way. 

Taking into consideration the business needs of the 
customer and make them the main concern of the IT 
management is the reason to be of the IT services. 

It is then necessary to fully understand the customer needs, 
follow up their development and establish an organization 
that supports them expressing and monitoring these needs. 

The life cycle of service 

Before describing the life cycle of the service, we must 
first explain its concept. In general, the service can be 
defined depending on the context. 

In a restaurant we can evaluate the service: smiles, 
atmosphere, responsiveness,... 

In a tennis match, the service is a trigger of play 

In an organization, a service is an entity having a function 

and a task performed by a group of staff. 

In the IT field, a service is defined as a benefit, help or 
assistance a user can expect from a supplier. 

In daily life of IT projects, and after the post— production 
of projects, CIOs find themselves faced with two situations: 

• Whether the operations team was not involved in the 
project since its design, creating a frustration having to 
deal with tasks from which they don’t understand the 
point in the business. 

• Or the project team, as it masters the issue, continue the 
project in the operational phase. This generates 
organizational failures and conflicts of responsibility. 

To avoid this kind of anomaly, ITIL provides the solution 
and advocates considering the management of services 
from the needs study of the IT projects. Thus, the 
overlapping roles of the project team and operations team 
are avoided and the operating team is aware of the stakes 
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of the project and its services as well as the benefits. 

This makes sure that the resources and expertise required 
for the operation of services after their releases are 
available. This involves taking into consideration the 
impact of performance, availability and budget since the 
start of the project. 

The process concept 

The concept of life cycle brings all necessary elements for 
successful projects from the specification of needs by 
customers until the go — live of services. 

The concept of process has demonstrated its robustness 
when quality is the matter. ITIL has adopted this approach 
to structure the philosophy of its good practices as 
multiple processes interacting between each other. 

This concept of process provides answers to the sequence 
of activities while undergoing examinations and 
performance indicators measuring the achievement of 
results for which the process was designed. 

The process owner is responsible for the design of the 
process and ensures that it meets the need defined. He 
reports to company executives. 

The process manager is responsible for implementation of 
the process as it was defined by process owner to which 
he reports. 

The quality of service 

This concept is the raison d’etre of the good practices. 
Quality service is defined as it has the ability to respond to 
customer needs exactly as they were defined. The client 
judges their supplier, not based on their how - to 
-methods but rather based on their appreciation of the 
result within the deadline expected, while respecting the 
specifications defined. 

In that sense, ITIL seeks to improve service in a perpetual 
manner based on the philosophy of Deming wheel: Plan, 
Do, Act, Check. 

Communication 

One of the contributions of ITIL is the good 
Communication. It harmonizes the language between 
customers and suppliers. This language removes any 
ambiguity when the IT specialists talk about the SLA 
agreement, incident, problem, change, ... 

The good communication is an important component of 
the service quality. Business Directions must understand the 
issues of IT, their constraints and commitments. The 
communication also facilitates the negotiation of budgets, 
as projects come directly from business requirements. 

The communication also reflects the transparent aspect of 
the CIO. This is to convey a clear picture to users, a 
picture illustrating the negative aspects and most of all the 
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positive ones of the IT management and the efforts of IT 

resources. 

V. COBIT DEFINITION 

COBIT (Control Objectives for Information and 
related Technology) is a unifying tool that allows 
managers to bridge the gap between control 
requirements, technical issues and business risks. Since its 
first version released in 1996 COBIT has evolved, version 
4.1 appeared in 2007. COBIT provides a framework for 
structured control IT operation with 34 processes divided 
into four areas: 

• Plan and organize (PO) 

• Acquire and implement (AI) 

• Deliver and support (DS) 

• Monitor and evaluate (ME) 

The four fields of CobiT include coherent sets of 
processes. PO represents the field of strategic dimension 
of IT governance. The AI field gathers all processes that 
impact resources, from acquisition to implementation. 

The DS field is devoted to services offered to clients of 
the CIO. Finally, the SE field covers largely the 
controlling, audit and monitoring of everything. 

COBIT processes 

For each of the 34 process, COBIT describes the scope 
and purposes and then list and develop: 

• Control objectives for IT auditors, which are detailed in 
other publications; 

• A management guide written in a logic of governance SI; 

• A maturity model for each process. 

Processes plan and organize (PO): 

The processes described in this chapter discuss the 
strategy and tactics to optimize the contribution of IS to 
achieve the business objectives of the company. 

The processes of this field are the following: 

• POl : Defining a strategic IT plan 

• P02: Defining the information architecture 

• P03: Determining technological orientation 

• P04: Defining the processes, organization and labor 
relations 

• P05: Managing IT investments 

• P06: Communicate the goals and 

management guidelines 

• P07 : Managing IT human resources 

• P08: Managing Quality 

• P09: Assessing and managing risks 

• PO10: Managing projects 

The PO field describes the 10 strategic information 
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systems governance process. It concerns both huge CIOs 
as well as CIOs which have outsourced most of their 
projects or their operations. 

We can couple COBIT with other references, but the PO 
field will remain Essential. 

Processes acquire and implement (AI): 

The processes described in this chapter concerns the 
identification, development or acquisition of IT solutions, 
their implementation and integration with business 
processes, modification and maintenance of existan 
systems systems. 

The processes of this area are the following: 

• AI2: Purchase applications and maintain them 

• AI3: Purchase a technical infrastructure and maintain it 

• AI4: Facilitate the operation and use 

• AI5: Purchase IT resources 

• AI6: Manage change 

• AI7 : Install and validate changes and solutions 
Projection of the AI process to ITIL 

The AI field covers all of the applications and 
infrastructure projects as well as all patches and any kind 
of change in the scope of information systems. It is similar 
to the chapter Transition Service of ITIL V3. 

Some will find that the piloting the project itself is not 
there. It is true that the AI2 process, which covers both the 
development and maintenance of applications, should be 
more explained. It is on this level that we must link the 
project management methods that exist elsewhere. 
However, this field has the advantage of 
describing Processes that are often ignored, such as the AM- 
process (Facilitate the operation and use), or Neglected, 
Such as All process (decision making or not) and AI6 / 7 
(change management, testing and production). 

Processes Deliver and Support (DS) 

This area covers the implementation of services: computer 
operations, security management, continuity management 
service, user support, data management and equipment. 

The processes of this area are the following:* 

DS 1 : Define and manage service levels 

• DS2: Manage third-party services 

• DS3: Manage performance and capacity 

• DS4: Ensure continuous service 

• DS5: Ensure security of systems 

• DS6: Identify and allocate costs 

• DS7 : Educate and train users 

• DS8: Manage support to clients and incidents 
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• DS9: Manage configuration 

• DS 10: Manage problems 

• DS 1 1 : Manage data 

• DS12: Manage the physical environment 

• DS 13: Manage operations 

Projection ofDS processes to ITIL 

The DS field describes completely the conditions of IT 
services supply. It first described the relationship with the 
trades (DS1) and with third parties (DS2). This preamble 
allows all contractual services. 

Essentially, this field is the closest to the related ITIL 
processes. Only DS7 seems not to be described in ITIL. 

Processes monitor and evaluate (ME): 

The processes described in this chapter deal with the 
performance management, monitoring of internal control, 
compliance with regulatory standards and governance. 

• The processes of this field are the following: 

• ME1 : Monitor and evaluate the performance of IS 

• ME2: Monitor and evaluate internal control 

• ME3: Ensure compliance with external obligations 

• ME4: Implement a governance of IS 

Projection of ME processes to ITIL 

The process of ME domain describe four levels of 
monitoring and evaluation of the whole system (PO, AI 
and DS). Where the process is SE1 the main role as it 
controls it fully. It should be the starting point for all 
deployed processes’ improvement (a little bit like the 
"continuous improvement" in ITIL V3). 

ME2 process is more difficult to identify because it is 
made to monitor the well — functioning of the above 
process. This requires an independent responsible, 
preferably in internal audit, should be designed. 

ME3 process has the advantage of isolating the monitoring 
over compliance. Finally, ME4 provides a way to audit the 
implementation of the governance of IS. 

VI. TOWARDS A POOLING OF COBIT AND 

ITIL. 

ITIL structures its approach of the services ’ 
management around the relationship with stakeholders: 
daily IT service users and project managers 
for controlling (businessmanagers, etc.).. COBIT, in 
the same way, has systematically put beforehand the 
finality of IT services, including meeting the needs of 
business and the desire to align supply with demand. Both 
approaches share the same values regarding the 


management of IT services. 

The figure below lists the COBIT processes that are 
closest 

to the ITIL processes. Note that the names of the 
process are often the same, reflecting the growing 
awareness of ITIL with COBIT designers over the versions. 
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Why pooling? 

The steps ITIL and COBIT are often conducted separately. 
ITIL was a response to better structure the service centers 
which are, for the same reason, the only function to be 
represented as the heart of the process. The procedures of 
the service center concerning the incident management 
(structuring levels, climbing, registration tickets call, 
enrichment databases resolution, etc.) had to industrialize 
to meet the demands at lower cost. 

Simultaneously, a growing number of organizations are 
outsourcing the support functions, which were not 
necessarily in their core business and seem complicated to 
manage and optimize in— house. As for tools, editors have 
offered more accomplished ones, able to handle all 
procedures and linking them to a database of resources in 
the broad sense (call tickets, configuration objects, but also 
job descriptions, etc.).. All this "arsenal" was built with the 
ITIL framework. 

The key points to consider in order of pooling the two 
approaches are as follows. 

• Reconcile two cultures 

ITIL culture is pragmatic, constantly confronted with the 
daily issues and geared more towards the service (service 
continuity, performance), it often manages data objects in a 
level of detail that only applies to players in the support, 
maintenance or operation. COBIT, however, may be 
perceived as too theoretical, not often useful nor concrete 
enough to be deployed easily and effectively. 
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• Structuring the whole repository 

Avoid duplication of processes, which inevitably occurs if 
one does not describe a mapping process to ensure overall 
consistency. 

• Make the link with the studies and developments 

ITIL has trouble spread to the teams of studies and 
development. It is recognized neither in the management of 
projects at the elementary level or in the overall 
management of portfolios and investments. 

COBIT has the advantage of giving a comprehensive 
framework that provides a process of transition, PO10 
between ITIL and studies. 

• Gradually build the data of the ISD model 

ITIL gains are interesting but the risk of falling into the 
details is big. We must rely on the CMDB to create the 
data model of the CIO, ensuring distance themselves and 
define the granularity of the data relevant for control. 

VII. TOTAL MAPPING BETWEEN ITIL AND 

COBIT 

Below reconciliation between the phases and processes of 
the two repositories, ITIL correspondence is in italics. 

Reconciliation of phases 

• Planning and Organizing (PO) => Service strategy 

• Acquiring And Implementing (AI) => Service 
conception 

• Delivering and Supporting (DS ) => Transition and 
operation of service 

• Monitoring and evaluating (ME) => Continuous 
improvement of service 

Reconciliation of processes 

• POl: Define a strategic IT plan => Set service strategy 
(Strategy service) 

• P02: Define the information architecture 

• P03: Determine technological direction 

• P04: Define the processes, organization and labor 
relations 

• P05: Manage IT investment => financial Management 
of service (strategy of service) 

• P06: Communicate the goals and management 
guidelines 

• P07 : Managing IT human resources 

• P08: Managing Quality 
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• P09: Assess and manage risk 

• PO10: Manage projects 

• All: Find IT solutions => Management and deployment 
into production (Phase transition of service) 

• AI2: Purchase applications and maintain them 

• AI3: Purchase a technical infrastructure and maintain it 

• AI4: Facilitate the operation and use 

• AI5: Purchase IT resources 

• AI6: Manage change => Change Management (Phase 
transition of service) 

• AI7: Install and validate changes and solutions => 
Management and deployment into production (Phase 
transition of service) 

• DS1: Define and manage service levels => Service 
Level Management (Design Phase) 

• DS2: Manage third — party services => Supplier 
Management (Design Phase) 

• DS3: Manage performance and capacity => Capacity 
Management (Design Phase) 

• DS4: Ensure continuous service => Continuity 
Management (Design Phase) 

• DS5: Ensure security of systems => Security 
Management (Design Phase) 

• DS6: Identify and allocate costs => Financial 
Management Service (Strategy service) 

• DS7: Educate and train users => Management and 
deployment into production (Phase transition of service) 

• DS8: Manage support to clients and incidents => 
Incident Management (Operation Phase) 

• DS9: Manage configuration => Asset management and 
configuration (phase transition) 

• DS10: Manage problems => Problem Management 
(Operation Phase) 

• DS 1 1 : Manage data 

• DS12: Manage the physical environment 

• DS13: Manage operations => (This is a phase according 
to ITIL) 

• ME1: Monitor and evaluate the performance of IS => 
Phase of continuous improvement of service 

• ME2: Monitor and evaluate internal control => Phase of 
continuous improvement of service 

• ME3: Ensure compliance with external obligations 

• ME4: Implement a governance of IS => Portfolio 
Management Service (Phase service strategy) 
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VIII. RECOMMENDATION FOR A SUCCESSFUL 
APPROACH FOR POOLING 

When used together, COBIT and ITIL provide a top 
“Down approach for the IT governance and for 
the management of services. The COBIT management 
guide provides a comprehensive approach to 
manage objectives and priorities for IT activities. 

When used together, the power of both approaches is 
amplified, with a greater likelihood of management 
support and direction, and a more efficient use of 
resources for implementation. 

Structuring the process 

The organization needs an effective action plan that suits 
their particular circumstances and the needs, but some 
recommendations are common to all businesses: 

• Ensure that the project of setting up standards of 
governance is in terms of senior management and will be 
sponsor of this project. 

• Deficiencies and ensure that IT issues are identified and 
listed 

• Work with management in ensuring alignment of 
initiatives with positive impacts on business activities of the 
company. 

• Developing dashboards to measure the performance of 
IT services 

Planning 

Establish an organizational framework (ideally as part of a 
global initiative of IT governance) with clear 
responsibilities and objectives. 

Ensure the participation of all stakeholders. 

• Identify proj ect risks 

• Develop strategies for improvement, and decide of the 
highest priority projects that will improve management and 
governance. 

• Consider supporting COBIT control objectives using 
the most detailed ITIL guidelines. 

• Measure results, establish a dashboard mechanism to 
measure current performance and monitor the results of 
further improvements. 

Pitfalls to avoid 

There are also some obvious rules, but pragmatic, that 
management should follow to avoid the pitfalls: 

• Treat the initiative to implement a project activity with a 
series of phase. 

• The implementation involves cultural change and new 
processes. Therefore, a key success factor is the 
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activation and motivation for change. 

• Make sure there is a clear understanding of objectives. 

• Manage wait times. In most companies, achieving 
success takes time and requires continuous 
improvement. 

• Focus first on where it is easier to make changes and 
improvements and build from there, one step at a time. 

IX. CONCLUSIONS 

The reference of good practices was designed to meet a 
need of structuring the service of processes management, it 
responds to this need with more details and efficiency and 
also, ITIL remains the most deployed reference in the 
management of IT infrastructure and service. 

On the other hand, COBIT gives a more strategically view 
of IT management for a better alignment of IT with the 
enterprise strategy. 

Thus, managers of information systems are faced to two 
interesting references. Yet each one has a terminology, its 
processes and methodology of implementation. This article 
has put the focus on processes and common objectives of 
these references and the fields of possible pooling. One of 
the perspective of this paper is to design a version of 
COBIT that fully integrates common ITIL processes. 
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